Chances are, your phone is sending location data to several companies right now.
Many apps on your smartphone keep track of where you are, often for obvious-sounding reasons. Your weather app wants to tell you local conditions. Branded fast-food apps like Chick-Fil-A’s find your nearest location. Dating and hookup apps want to connect you with people in your area. Along the way, though, these apps are quietly amassing enormous amounts of data. As many as 200 million mobile devices report location data to smartphone apps, according to a 2018 New York Times investigation, with some logging a user’s location as many as 14,000 times in a single day.
Location data is especially sensitive for certain people, such as someone seeking an abortion in a U.S. state where abortion is criminalized. But no matter who you are, the data is undeniably personal, privacy experts say.
“These location points reveal everything about what we do over the course of a day,” explains ACLU lawyer and privacy expert Nathan Wessler. He says they can reveal ”where we sleep at night—because our phones are near us; where we go during the day, our friends and romantic partners. You leave work and may go to an AA meeting or stop at a psychiatrist’s office. Your patterns of life are going to be reflected in this data.”
It’s an issue that’s growing increasingly prominent, with the Associated Press reporting on September 1 that police have been using a cellphone tracking tool to “search hundreds of billions of records from 250 million mobile devices.” This week the Federal Trade Commission also sued a broker for selling sensitive location data from hundreds of millions of devices.
And companies are increasingly facing backlash from consumers.
Earlier this month, Facebook parent company, Meta, settled a class action lawsuit alleging that the company tracked users’ whereabouts even after they had turned off location settings on their phones. As part of the settlement, Meta agreed to pay $37.5 million to nearly 70 million users without admitting guilt, according to court documents filed.
Coffee chain Tim Horton’s apologized to customers after Canadian privacy regulators found the app tracked thousands of users “every few minutes” throughout the day, even when the app was closed. Even prayer-reminder and fitness apps have all been criticized for collecting data without users realizing.
The location data industry is a $12 billion market, with firms like X-Mode boasting on their websites they’ve collected such data from 25% of U.S. adults at some point. Companies aren’t just collecting location data, though—they’re also sharing it with brokers, aggregators, and potentially law enforcement. That means, for potentially millions of unknowing people, an app used to navigate traffic or save on coffee is also keeping a log of their whereabouts.
Here’s what you should know about apps that collect location data from users.
What the apps know about you
Others only keep track of your neighborhood or city. None of this data is tied to your name or identifying personal details—it’s all associated with your phone itself. However, privacy experts have shown repeatedly that it isn’t difficult to match location data with other data points they have on a person, revealing their identity and where they’ve been.
It’s another way to make money. Although location data is critical to how some apps work—for example, a mapping app—companies may share this information with third parties, usually advertisers. A local car dealership may work with an advertising company to identify, then target ads at left-leaning suburban moms interested in eco-friendly minivans. The dealership pays an ad company, who hires brokers and aggregators to combine location data with other bits of your online history (such as recent purchases, or your Facebook likes). That information helps the ad company show deals and promotions based on what they think you’re likely to buy.
“Nobody expects that those apps on our phones are also harvesting every location point as we go about our days and selling them to data brokers,” says Wessler.
Your data poses risks
Location data reveals much more than where you’ve been. Law enforcement has also used it to infer people’s immigration status, religion, and sexual orientation.
A 2020 Vice report detailed how federal agencies accessed location data collected by Muslim prayer and Quran apps as part of alleged counterterrorism efforts. Last year, a Catholic priest was outed after a news outlet claimed it used location data sourced from Grindr to show the priest’s phone was at gay bars.
Earlier this month, the ACLU released thousands of documents showing how ICE and DHS bought app location data from brokers. Harnessed from millions of mobile devices throughout the southwestern US, the data was used as part of immigration enforcement. It is unclear from the documents whether this data actually resulted in a deportation.
Health information can also be inferred based on the type of clinic someone visits. This is especially concerning for abortion-seekers. Since the Supreme Court’s reversal of Roe V. Wade privacy advocates have urged lawmakers to strengthen digital privacy protections. Each year, companies like Facebook and Google receive tens of thousands of requests for user information from law enforcement, complying almost 90% of the time. This can include the user’s search histories, profile information, or sometimes even their location history.
Google parent company Alphabet has said it will pause location tracking and minimize the data it keeps on people seeking information on abortion. Facebook CEO Mark Zuckerberg touted the platform’s encryption policies, while both companies have said they will push back on any overly broad requests. But privacy experts warn that states will will inevitably press tech companies for data, including location data, that could reveal whether a user has sought an abortion.
Where the data goes
Apps may say that they don’t “sell” your location data—but the reality of “selling” data is complicated.
In the physical world, selling a product means an item leaves the seller’s hands and ends up in the buyer’s hands. For location data, however, it’s more accurate to say brokers sell access to the data, charging for the chance to search and download information collected in a shared database.
Alan Butler, executive director of the Electronic Privacy Information Center, argues that this kind of access is “a sale as well, especially when you’re allowed to download the information.”
In some cases, the buyer is a law enforcement agency.
If any law enforcement agency wanted to track someone’s movements by following them around town in a police car, they’d need a warrant. But for years, agencies have bypassed this step by contracting with data brokers. Some location data firms market their products for government agencies specifically, boasting their ability to find people.
Privacy advocates have called for Congress to close the loophole, which they say amounts to a warrantless search.“The question we need to ask as a society is if we think the government should have access to a complete almanac of everywhere we go and everything we do, just by buying it,” says Wessler.
Lawmakers are now trying to update privacy rules, forcing companies to inform users whether they’re “sharing,” “selling” or “accessing” data. The FTC said in early August it will do more to regulate the companies who collect and share data.
What you can do if you don’t like the sound of this
The most obvious countermeasure is also the fastest: deleting apps. Both Android and Apple lets users see which apps you’ve granted location access. Importantly, you can see which apps track location only when the app is open and which track you continuously. If there’s any app you don’t rely on regularly, go ahead and delete it.
If you want to keep the app: feel empowered to decline its location requests. Users are often presented with a false binary: hit “Agree” once and be tracked or endure frequent nudges asking for location permission. Decline the location request if it isn’t necessary, and turn off notifications so the app won’t ping you constantly to turn it back on.
The system is confusing by design, Butler says, but the fault shouldn’t lie with the user. Apple and Google, which operate the most popular app stores, have set new rules around data collection over the years. Since June, both Apple and Android have required developers to summarize their privacy policies, plainly stating what data they collect. Android even has a helpful section for pausing collection from apps you don’t use much, while Apple has told developers to make it easier to make deletion requests.
Lawmakers are also working on more long-term solutions. Butler voices his support for the Fourth Amendment Is Not For Sale Act, which would require a warrant before law enforcement purchased location data from brokers. Introduced in 2021, the bill has renewed support following an August hearing implicating the FBI, DHS, and ICE, among other agencies, in utilizing the loophole.
Under the California Consumer Privacy Act, users in the state can request any company permanently delete the data it has on them, but other states have lagged in adopting similar rules.
“Even for someone who thinks they truly have nothing to hide and they are totally comfortable with every detail of their life being an open book to the government,” said Wessler, “people have to make a decision about what kind of society we want to live in, and particularly what kind of protections we want for the most vulnerable members of that society.”
- Taylor Swift Is TIME's 2023 Person of the Year
- Meet the Nation Builders
- Why Cell Phone Reception Is Getting Worse
- Column: It's Time to Scrap the Abraham Accords
- Israeli Family Celebrates Release of Hostage Grandmother
- In a New Movie, Beyoncé Finds Freedom
- The Top 100 Photos of 2023
- Want Weekly Recs on What to Watch, Read, and More? Sign Up for Worth Your Time